On Mon, Nov 4, 2013 at 6:04 AM, Christophe Bal <projet...@gmail.com> wrote:
> Indeed there are small security problems and big ones. The use of eval or
> exec can cause really big problems. I'll try to show that in private, not
> here... I'm not sure I'd do such a hack, but if the actual version uses exec
> or eval, it would be possible.
>
> My remark is just to help and not to criticize freely. Sorry for my English,
> because this is not my native language.

Fortunately, in the context of https://cloud.sagemath.com there are absolutely
no security issues associated with using exec, eval, etc. This is because all
relevant Python code is run in an isolated virtual machine, in which the user
is explicitly given -- by the security model -- full shell access (in that VM).
That's made clear in this case, since there is literally a terminal in
cloud.sagemath. There are other contexts where exec/eval must be avoided, but
this isn't one of them, fortunately.

William

> Best regards.
> Christophe
>
> On 4 Nov 2013 09:46, "Nils Bruin" <nbr...@sfu.ca> wrote:
>>
>> On Sunday, November 3, 2013 11:19:45 PM UTC-8, projetmbc wrote:
>>>
>>> The use of AST is a pretty way BUT you must not use eval or exec because
>>> of real security issues. It's easy to find explanations about that on the
>>> web.
>>
>> If you read these explanations, you'll see that by the same logic, you
>> shouldn't run a notebook server because of real security issues (and if you
>> don't understand that, then you should indeed not run a notebook server
>> accessible to other people). The code that is input into a notebook is
>> already run via something equivalent to exec (try and think of another way
>> of letting sage do what it does). The code proposed is not less secure than
>> what we're already doing in the notebook.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "sage-support" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to sage-support+unsubscr...@googlegroups.com.
>> To post to this group, send email to sage-support@googlegroups.com.
>> Visit this group at http://groups.google.com/group/sage-support.
>> For more options, visit https://groups.google.com/groups/opt_out.

--
William Stein
Professor of Mathematics
University of Washington
http://wstein.org